diff --git a/src/cloudron.js b/src/cloudron.js
index d14b4e544..3836329e5 100644
--- a/src/cloudron.js
+++ b/src/cloudron.js
@@ -78,15 +78,17 @@ function onActivated(callback) {
     // 1. mail bounces can now be sent to the cloudron owner
     // 2. the restore code path can run without sudo (since mail/ is non-root)
     async.series([
-        (done) => reverseProxy.writeDefaultConfig({ activated :true }, done), // update IP based nginx config once user is created
         platform.start,
         cron.startJobs,
-        function checkBackupConfiguration(callback) {
+        function checkBackupConfiguration(done) {
             backups.checkConfiguration(function (error, message) {
-                if (error) return callback(error);
-                notifications.alert(notifications.ALERT_BACKUP_CONFIG, 'Backup configuration is unsafe', message, callback);
+                if (error) return done(error);
+                notifications.alert(notifications.ALERT_BACKUP_CONFIG, 'Backup configuration is unsafe', message, done);
             });
-        }
+        },
+        // disable responding to api calls via IP to not leak domain info. this is carefully placed as the last item, so it buys
+        // the UI some time to query the dashboard domain in the restore code path
+        (done) => setTimeout(() => reverseProxy.writeDefaultConfig({ activated :true }, done), 30000)
     ], callback);
 }